Question about Str concatenated with list object

Asked by John Chen

Hi OpenERP Team

I have some questions about Python coding. (I have just copied part of the code as a sample.)
In the code below you can see:
1. str(vals['order_id'])
2. str(ids[0])
3. float(query['price_unit'])

1. def create(self, cr, user, vals, context=None):
       if ('order_id' in vals):
           cr.execute("SELECT revision_no FROM purchase_order WHERE id = " + str(vals['order_id']))

2. def create(self, cr, user, vals, context=None):
       if ('order_id' in vals):
           cr.execute("SELECT revision_no FROM purchase_order WHERE id = " + str(ids[0]))

3. cr.execute("select price_unit, packaging_qty from purchase_order_line where id = " + str(ids[0]))
   for query in cr.dictfetchall():
       if query['price_unit']:
           polprice_unit = float(query['price_unit'])

Questions:
1. Is the way this Python code is written okay?
2. Will this cause a "str cannot be concatenated with list object" error?

Thanks

John Chen

Question information

Language: English
Status: Solved
For: Odoo Server (MOVED TO GITHUB)
Assignee: No assignee
Solved by: Serpent Consulting Services

Serpent Consulting Services (serpent-consulting-services) said (best answer):
#1

Hello John,

As you might already be aware, this error is caused when you try to concatenate a string and a list object.

I would suggest that you use '%s' placeholders with cr.execute(), which will substitute your values from the records into the query string.

For example:

 cr.execute("SELECT revision_no FROM purchase_order WHERE id = %s", (ids[0],))

Hope this helps.

Kindly check it with the solution and notify us regarding the result.

Thanks.
Serpent Consulting Services

John Chen (john-chen2011) said :
#2

Thanks Serpent for helping me once again :)

1. So can str(ids[0]) really cause the "str cannot be concatenated with list object" error?
2. And is str(ids[0]) not recommended?

Thanks

John Chen

Numérigraphe (numerigraphe) said :
#3

As a general rule, always use placeholders in SQL queries: if I understood it right, that protects you not only from coding errors, but also from SQL injection attacks.
Lionel Sausin.

Serpent Consulting Services (serpent-consulting-services) said :
#4

Hello John,

1. It will cause an error only if the concatenation operands contain a string and a list.

2. Yes. It is not recommended in a query because it is vulnerable to SQL injection.

Thanks
Serpent Consulting Services.
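
Putting answers #1 and #4 together, here is an added example that is not code from this thread or from OpenERP: it uses Python's built-in sqlite3 as a stand-in for the OpenERP cursor, so the placeholder is ? rather than psycopg2's %s, and the purchase_order tables and rows are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the purchase_order tables in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purchase_order (id INTEGER PRIMARY KEY, revision_no INTEGER)")
    conn.execute("CREATE TABLE purchase_order_line "
                 "(id INTEGER PRIMARY KEY, price_unit REAL, packaging_qty REAL)")
    conn.executemany("INSERT INTO purchase_order VALUES (?, ?)", [(1, 3), (2, 7)])
    conn.executemany("INSERT INTO purchase_order_line VALUES (?, ?, ?)",
                     [(10, 12.5, 2.0), (11, None, 1.0)])
    return conn

def revision_by_concat(cr, ids):
    """The pattern from the question: str(ids[0]) glued onto the SQL text.
    str() makes the concatenation itself legal, but the value is pasted into
    the statement as SQL, so the database never sees it as a bound value."""
    cr.execute("SELECT revision_no FROM purchase_order WHERE id = " + str(ids[0]))
    row = cr.fetchone()
    return row[0] if row else None

def concat_error(ids):
    """What John asked about: adding a list (no str(), no [0]) to a string is a
    TypeError, raised before any SQL runs. Returns the exception class name."""
    try:
        "SELECT revision_no FROM purchase_order WHERE id = " + ids
    except TypeError as exc:
        return type(exc).__name__
    return None

def revision_by_param(cr, order_id):
    """The recommended form: placeholder plus parameter tuple. The driver binds
    order_id as data, so a non-numeric string matches no row instead of
    becoming part of the SQL."""
    cr.execute("SELECT revision_no FROM purchase_order WHERE id = ?", (order_id,))
    row = cr.fetchone()
    return row[0] if row else None

def price_unit_by_param(cr, line_id):
    """Snippet 3 rewritten with a placeholder; a NULL price_unit stays None."""
    cr.execute("SELECT price_unit, packaging_qty FROM purchase_order_line WHERE id = ?",
               (line_id,))
    row = cr.fetchone()
    if row and row[0] is not None:
        return float(row[0])
    return None
```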

John Chen (john-chen2011) said :
#5

Thanks OpenERP Team

It is great to have you guys in this answer launchpad.

Thanks

John Chen

John Chen (john-chen2011) said :
#6

Thanks Serpent Consulting Services, that solved my question.

Serpent Consulting Services (serpent-consulting-services) said :
#7

Welcome John.